
Author
jbrashear
2016/12/14 08:31:17 (permalink)

Confused about Forticlient EMS server and Fortigate relationship.

Hi all,
 
I'm setting up the SSL VPN for my company and I'm confused about how the VPN is licensed. In my previous experience with Fortinet products, you had to have a license for the number of VPN clients you were going to have. When we bought 4 new 300D's my sales person told me that the licensing is handled by the EMS server now. I have installed the EMS server and it's licensed for 150 clients. Where I get confused is how does the Fortigate know about the EMS server, or does it need to? Honestly, I'm not at the point where I need full enterprise management outside of what the Fortigate can do itself, and all I want is to ensure that I can have more than the 10 users connect.

Do I point the FortiClients at the EMS server for telemetry, or the Fortigate itself? If the Fortigate is doing the telemetry, how does it integrate with the EMS? The only thing I found in the cookbook was for implementing an EMS to manage internal devices on the LAN (ISFW). Again, all I'm interested in at this point is making sure that more than the default 10 clients can connect to the SSL VPN. I hope this makes sense...
 
 
JB
#1
SteveG
Re: Confused about Forticlient EMS server and Fortigate relationship. 2016/12/15 02:12:29
We use EMS to manage our FortiClient installs. Unfortunately our supplier has no idea what licensing is required! They reckon that, despite having 1500 EMS licenses, we also need licenses on the FortiGates too (we want to enable the FortiClient enforcement on the LAN), although I don't see why. Before we had EMS the FortiClients would register to the FortiGates, but we only had the default 10 licenses on each FortiGate, so users would end up with an error message once they VPN'd in. Now that the FortiClients are registered to EMS, the FortiGate registration attempts have stopped. We've been pushing our supplier for a definitive answer for months now. I'm assuming the lack of understanding is on their part, as I can't believe Fortinet don't know; it's their product!

We've not configured the telemetry feature yet, although all the FortiClients are sending logs to our FAZ. I may be wrong here, but it feels to me that Fortinet are trying to remove the reliance on FortiGates when using EMS. We have no config tie-in between EMS and the FortiGates we have. I may be completely wrong though!
 
Confused? I certainly am :-o
 
FYI, We have a number of support calls open at the moment as EMS is very buggy. We bravely rolled out FortiClient as the desktop AV here. Once the bugs are fixed it will be a great tool.
#2
RobertReynolds
Re: Confused about Forticlient EMS server and Fortigate relationship. 2016/12/20 20:11:08
There are two parts of FortiClient now: Endpoint Management, and Endpoint Telemetry and Compliance. Endpoint Management is for configuration management and provisioning of FortiClient profiles (what you used to be able to do on the FortiGate); this is a separate piece of software that runs on a Windows server as a member of the domain (the EMS). You get 10 free licenses, and from then on it's a paid feature. The Telemetry and Compliance part is licensed on the FortiGate; this allows you to do some network access control. This also comes with 10 free.
 
Management == EMS
Management and compliance == EMS + Telemetry.
 
To use the FortiClient in standalone SSL VPN mode only, there is no extra licensing required.
#3
SteveG
Re: Confused about Forticlient EMS server and Fortigate relationship. 2016/12/21 00:50:29
That's interesting, so if you want to do the telemetry side you also need the (IPsec) VPN licenses on the FortiGate.
#4
MikePruett
Re: Confused about Forticlient EMS server and Fortigate relationship. 2016/12/21 14:42:06
I just deployed EMS for a client. They paid the $7 per license and were on their way. We are able to configure and set everything we wanted based on that. Compliance etc. included, because it will use the EMS for the compliance settings etc.

Mike Pruett
Fortinet GURU
#5
neonbit
Re: Confused about Forticlient EMS server and Fortigate relationship. 2017/01/16 21:44:05
I've been testing this out in my lab over the last week, and my understanding is that if you want to enforce compliance (i.e. users can't go through the firewall unless they have AV running, no critical vulnerabilities, etc.), then you'll need both the EMS license and the FortiGate license.
 
If you just have the EMS server license then you can centrally manage the FortiClients and push out configs, but the FortiGate will not be able to determine if FortiClient is installed and what its compliance posture is.
 
The FortiClient needs to be registered to the FortiGate for it to determine the compliance posture.
 
To do this with both the FortiGate and EMS server you'll need to import the FortiClient policy from the FortiGate to the EMS server. The EMS server will then sync the FortiClient policy from the FortiGate every X minutes.

On the EMS server you then set up Telemetry IP addresses (i.e. the FortiGate's IP address) and push them to the FortiClients.

Once the FortiClients get this, they will proceed to register to the FortiGate and confirm their compliance status.
 
The FortiClient's logs and management will still be done through the EMS, but the config will be changed on the FortiGate (so ultimately the EMS server is being used as a proxy between the FortiGate config and FortiClient config). So you make a FortiClient profile change on the FortiGate, it gets updated on the EMS server, it then gets pushed to the FortiClient.
 
If you wanted 100 devices to have both this central config management and compliance, you will need to purchase 100 EMS licenses, plus the FortiClient license on your FortiGate (or FortiGates, if you have multiple sites where you want to enforce compliance).
 
Hope it makes sense!
#6
SteveG
Re: Confused about Forticlient EMS server and Fortigate relationship. 2017/01/16 23:59:06
That's a great post, you seem to understand the FortiGate/FortiClient/EMS licensing better than Fortinet ;-)
 
Having said that I had a lengthy conf call with Fortinet this week and can confirm what you've stated is absolutely correct.
#7
Jim_FH
Re: Confused about Forticlient EMS server and Fortigate relationship. 2017/01/19 13:24:52
Mike:
 
Are you sure you're able to do compliance with the EMS only? My understanding is what Robert said above: that is, if you want compliance in addition to management, then you need licenses for the 'Gates as well as on the EMS. If you can, I'd love to know where that's configured.

They're clearly moving towards EMS and away from the Fortigates for endpoint control, and it's frustrating that we can't get both features with one license, preferably the EMS.
 
thanks,
Jim 
#8
MikePruett
Re: Confused about Forticlient EMS server and Fortigate relationship. 2017/01/19 14:35:28
Perhaps Fortinet will work deals in situations like that.
 
You do need the 'Gate to be able to enforce compliance etc. for sure.
 

Mike Pruett
Fortinet GURU
#9
Jim_FH
Re: Confused about Forticlient EMS server and Fortigate relationship. 2017/01/19 14:39:04
Mike:
 
Yep, I verified that with my rep as well. My EMS licenses won't work on the Fortigates, and I need more than the 10 free licenses offered.

Too bad, I just can't afford to buy 2x licenses for the number of clients I have to manage. Hopefully they will unify the licensing in the future.
 
thanks,
 
Jim
#10
Holy
Re: Confused about Forticlient EMS server and Fortigate relationship. 2017/01/19 22:38:59
From the FortiClient admin guide:
 

Purchased license
Each purchased license allows management of one FortiClient endpoint. You will need to purchase a minimum of
100 endpoints and you have an option to have this EMS license for a maximum three year term. You can specify
the number of endpoints and the duration of term at the time of purchase.
You can use a licensed FortiClient EMS to deploy, provision, and manage FortiClient
endpoints. However, if have a FortiGate in your network, you can buy an Add-On
FortiGate Endpoint license to enforce Endpoint Compliance on the Firewall while endpoints
are being managed by EMS. Using FortiGate with EMS is optional.
 
so looks like you do have to buy 2 licenses

NSE 8 
NSE 1 - 7
 
#11